Polynomial fully homomorphic encryption system based on coefficient mapping transform

ABSTRACT

A polynomial complete homomorphic encryption method based on the coefficient mapping transformation. A plaintext is expressed as a polynomial consisting of a set of random values, two sets of random coefficient factors and a random constant of a specified mapping function, and in the polynomial: the expression and a set of random coefficient factors of the specified mapping function are taken as a key; another set of random coefficient factors, a set of random arguments and random constants of the mapping function are taken as the ciphertexts for homomorphic operations, so that the part of function key performs three different mappings and then undergoes numerical fitting to obtain the family of operational support functions consisting of three sub-functions respectively, which are used to perform the homomorphic operation of the ciphertext based on the family of operational support functions and return to the locality for decryption by the key.

This application is the U.S. national phase of International ApplicationNo. PCT/CN2016/075935 Filed on 9 Mar. 2016 which designated the U.S. andclaims priority to Chinese Application No. CN 201510192143.1 filed on 21Apr. 2015, the entire contents of each of which are hereby incorporatedby reference.

TECHNICAL FIELD

The invention relates to a technology in the field of informationsecurity, and more specifically, to a polynomial complete homomorphicencryption SYSTEM based on the coefficient mapping transformation.

DESCRIPTION OF RELATED ART

Homomorphic encryption is an encryption method that processes data thathave been cryptographically isomorphic to produce an output that isdecrypted, the result of which is the same as that output from the samemethod of processing unencrypted raw data.

In 1978, Rivest, Adleman and Dertouzos first proposed the concept ofhomomorphic encryption in On Data Banks and Privacy Homomorphisms(Foundations of Secure Communication, pp. 169-177, Academic Press), andat that time they used the term “privacy homomorphism”. In this paper,Rivest et al., proposed several candidate encryption algorithmssimultaneously, which have the characteristics of homomorphism. Thepolynomial encryption algorithm is one of them. Although it has theadvantages of simple principle, easy implementation and high computingspeed, it cannot be directly used because it is vulnerable to aplaintext attack and the security is not guaranteed. Other candidatealgorithms were soon found with the potential security issues and, atthe same time, slowly faded out of sight because of the lack of newalgorithms. The issue of homomorphic encryption was again of interest tofellow scholars in 1991, and Feigenbaum, Merritt's Open Questions, TalkAbstracts, and Summary of Discussions (DIMACS Series in DiscreteMathematics and Theoretical Computer Science, Vol 2, pp. 1-45) reviewingseveral outstanding issues in the field of applied mathematicsreinstated the thinking on this important issue. However, the researchresults were still very few later, without any breakthrough.

In 2009, Craig Gentry first disclosed a homomorphic encryption algorithmbased on ideal lattices in his Ph.D. thesis: A Fully HomomorphicEncryption Scheme, and formally used the term “fully homomorphicencryption”, which lays a foundation for the research in this field.This method introduces the “random noise” for encryption and uses theRSA-like algorithm to solve the problem of integer factorization as abasis for its security. The data cleaning operation is introduced aftereach step of homomorphic operation so that the size of the noise isalways kept without affecting the range of the calculation result.However, due to the complexity of the algorithm, the complexity of theoperation, and the encryption of each bit of plaintext, which results ina huge amount of computation and a large storage space required for theciphertext, it is difficult to be applied to actual services.

Almost all of the research has since been revamped and enhanced aroundCraig's approach. Against many problems such as a large amount ofcomputation, a large ciphertext storage space and a high ciphertextexpansion speed of the original method, a great number of research hasbeen done and many achievements have been made, such as FullyHomomorphic Encryption without Bootstrapping disclosed by Z. Brakerski,C. Gentry, and V. Vaikuntanathan in ITCS 2012 and Efficient FullyHomomorphic Encryption from (Standard) LWE disclosed by Z. Brakerski andV. Vaikuntanathan in FOCS 2011 (IEEE). The framework based on theoriginal method proposes a BGV method taking Learning with Errors (LWE)as the basis of security, which reduces the computational complexity ofhomomorphic computation and makes the growth of noise variable moreslow, thus reducing the data cleaning operation. On-the-Fly MultipartyComputation on the Cloud via Multikey Fully Homomorphic Encryptiondisclosed by Lopez-Alt, Tromer and Vaikuntanathan in STOC 2012 ACMproposes a LTV method based on the principle of on-grid encryption,which is also based on the optimized goal of reducing the amount ofcomputation and slowing the growth of noise. Batch Fully HomomorphicEncryption over the Integers disclosed by Coron, Lepoin and Tibouchi inEUROCRYPT 2013 Springer has been improved based on the original methodso that the encryption for all bits can be compressed into the sameciphertext, not only effectively reducing the size of the ciphertext,but also to some extent reducing the amount of computation; however, thenoise still cannot be effectively controlled, so the data cleaningoperation is still indispensable.

The research results listed above, as well as almost all the otherstudies, cannot completely get rid of the ideas and framework of theoriginal Craig method. Therefore, although the new method has madesubstantial improvements over the original method, the actualimplementation of the algorithm still requires huge computationalresources and storage resources and is hard to be actually applied toactual services. This is why, although the demand is clear, so far therehave not been any examples of commercial applications of homomorphicencryption algorithms in the world.

BRIEF SUMMARY OF THE INVENTION

In view of the above shortcomings in the prior art, the inventionproposes a polynomial complete homomorphic encryption SYSTEM based onthe coefficient mapping transformation, which directly operates onciphertext without revealing plaintext to provide a safe data storageand an operating environment Based on the improved polynomialhomomorphic encryption principle, the invention can directly encrypt anarbitrary integer or a real number, and performs the function mappingtransformation on the polynomial coefficient and takes the mappingfunction itself as a part of the key, thus eliminating the potentialdangers of the original method relying on the difficulty in solving thegeneral-form function equation. Compared with the prior art, thecomputing speed is significantly increased, and the required ciphertextvolume and expansion speed are smaller, which is more conducive to theachievement of various ways, so that the data owners can safely usevarious cloud computing services without having to worry about theirsensitive and confidential data that would be revealed. The cloudservice providers can also focus on customer value and serviceexcellence without having to worry that the customers are afraid to usethe services that they provide for fear of the data security.

The invention is achieved based on the following technical solutions:

The invention relates to a polynomial complete homomorphic encryptionsystem, comprising a client and a server, wherein:

the client consists of a circuit which is configured to generate a key Kand an operation supporting function family G, and to encrypt theplaintext P or decrypt the ciphertext C;

the server consists of a memory which is configured to receive theciphertext C and the operation supporting function family G, and acircuit which is to perform a homomorphic operation on the ciphertextaccording to the operation supporting function family G.

Preferably, the server is provided with a database for storing theciphertext, and more preferably, provided with a ciphertext IDcorresponding to the ciphertext.

The homomorphic operation comprises four basic operations betweenciphertext and plaintext or ciphertext, that is, addition, subtraction,multiplication and division.

Once generated, the key K is stored only on the client, neither allowingthe external programs or unauthorized visitors to access the key, norsending or transmitting the key in any form. Therefore, the dataencryption and decryption operations must be done locally on the clientside.

More preferably, the client is provided with a complete key accesscontrol mechanism. For example, the key is stored in a proprietaryencryption memory chip, so that the way of authentication such as theaccess password verification or the finger authentication is requiredwhen the key is read to ensure that the visitor owns the correspondingauthority.

The System above performs polynomial complete homomorphic encryption asthe following steps: Firstly, a plaintext is expressed as a polynomialconsisting of a set of random values, two sets of random coefficientfactors and a random constant of a specified mapping function, and inthe polynomial: the expression and a set of random coefficient factorsof the specified mapping function are taken as a key; another set ofrandom coefficient factors, a set of random arguments and randomconstants of the mapping function are taken as the ciphertexts forhomomorphic operations, so that the part of function key performs threedifferent mappings and then undergoes numerical fitting to obtain thefamily of operational support functions consisting of threesub-functions respectively, which are used to perform the homomorphicoperation of the ciphertext based on the family of operational supportfunctions and return to the locality for decryption by the key.

The invention specifically comprises the following steps:

Step 1: for a plaintext P∈R of any real number, the real-number vectorsof A={a_(i)|i∈I} and Y={y_(i)|i∈I} are randomly chosen, satisfying that:

$\begin{matrix}\left\{ \begin{matrix}{{{\sum\limits_{i \in I}{a_{i} \cdot {f\left( x_{i} \right)} \cdot y_{i}}} + B} = P} \\{{f\left( x_{i} \right)} > 0}\end{matrix} \right. & (1)\end{matrix}$

wherein: f(x) is differentiable, and the real-number vectors areX={x_(i)|i∈I} and B∈R, I is the subscript set of the polynomial keydimension, usually, I={1, 2}; ƒ(x_(i)) is the part of function key,preferably, the composite function ƒ( ) is a periodic function.

The corresponding key generated is K={ƒ( ),Y}, the ciphertext for P is:C={A, X, B}.

The numerical fitting adopts, but not limited to, the least squaremethod.

Step 2: the homomorphic result of the ciphertext C_(r) is obtained byway of performing the homomorphic operation between the ciphertexts orbetween the plaintext and the ciphertext through the operationsupporting function family G at different places.

The homomorphic operations comprise addition, subtraction,multiplication and division, and any combination thereof.

Step 3: the homomorphic result of the plaintext P_(r) is obtained viadecryption by way of substituting the homomorphic result of theciphertext C_(r) into ƒ and Y in the key of K.

Technical Effects

Comparing with the prior art, the greatest improvement of the inventionlies in the computational efficiency of the homomorphic operation andthe requirement of storage space for the ciphertext: the plaintext spaceof the encryption algorithm in the invention is the entire real-numberset R, the ciphertext space is R^(n), and when n=5, adequate securitycan be ensured. The requirement of storage space for the entireciphertext is significantly reduced comparing with the prior art. For aplaintext of common numerical type, a ciphertext can be obtained via theoperation of encryption algorithm only once, whereas the prior artrequires repeated iterative operations, which greatly speeds up theoperation of encryption and decryption. Meanwhile, for the homomorphicoperation of ciphertext, the operation process of the method in theinvention has a higher speed but fewer iterative steps, and theciphertext expansion speed of the operation result is also much lowerthan the prior art.

In addition, under the background that the cloud computing service iswidely used, the technology of homomorphic encryption in the inventioncan make the real value of the data visible only to the data owner whoowns the key; the data storage side, data transmission pipes and dataoperators who cannot guarantee the security, data will appear in theform of ciphertext, so that the storage, transmission and operationproviders can only provide the corresponding storage space, transmissionbandwidth and computing power, but cannot know the real value of thedata at all. The result of the calculation is still expressed inciphertext, and the data owner can decrypt it with the password so thatthe correct result is obtained.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

FIG. 1 is a schematic diagram of the basic application of the invention;

FIG. 2 is a schematic diagram of the process of key generation accordingto the invention;

FIG. 3 is a schematic diagram of the embodiment of the process of dataencryption;

FIG. 4 is the first schematic diagram of the embodiment of thehomomorphic operation of ciphertext;

FIG. 5 is the second schematic diagram of the embodiment of thehomomorphic operation of ciphertext;

FIG. 6 is a schematic diagram of the embodiment of the process of datadecryption.

DETAILED DESCRIPTION OF THE INVENTION

The embodiments of the invention are described in detail below. Theembodiments are implemented on the premise of the technical solutions inthe invention, with the detailed implementation manners and specificoperation procedures given. However, the protection scope of theinvention is not limited to the following embodiments.

Embodiment 1

The invention can be implemented in various ways corresponding todifferent requirement environments and application scenarios, such asUSBKey, API, SDK, chip, expansion card, dedicated device. As shown inFIG. 1 and FIG. 2, any way of implementation comprises the client andthe server, and the steps of a typical homomorphic encryption operationare as follows:

1) the client invokes a locally-stored key to encrypt sensitiveplaintext data to obtain a ciphertext;

2) the client sends the ciphertext and the operation request to theserver, with the key reserved on the client;

3) the server invokes the corresponding operation supporting functionfamily and uses the homomorphic function to perform the requiredoperation on the ciphertext uploaded by the client, and then returns theoperation result of the ciphertext;

4) the client receives the resulted ciphertext, invokes the local key todecrypt, and outputs the resulted plaintext.

In such a process, the key and plaintext data only appear on the client,and the data are always in the form of ciphertext throughout thetransmission, operation and storage operations, so there is nopossibility of data leakage.

The following is a detailed description of the homomorphic encryptionoperation:

Step 1: a key that consists of the function key part and the polynomialkey part is generated on the client as follows:

1.1) a number of unitary or multivariate functions are randomly chosen,and for each unitary or multivariate function, the parameters arerandomly generated for the linear combination or composite combinationto form the function key part, that is, ƒ( ).

The unitary functions comprise but are not limited to various analyticfunctions, such as positive proportional function, inverse proportionalfunction, sine function, cosine function, logarithmic function,exponential function and power function.

For example, a linear combination of a unitary sine function sin(x) anda unitary power function x³ may form a function key ƒ(x)=10 sin(6x)+5x³,or a composite combination may generate a function key ƒ(x)=12sin(8x³+6).

When the strength of encryption needs to be increased, the binary ormultivariate functions are chosen to constitute the function key part;taking a binary function as an example: ƒ(m_(i),n_(j)),i∈I, j∈I, thecorresponding ciphertext will have more than one dimension, that isC={A, M, N, B} and meanwhile, the operation supporting function family Gwill become more complex while the corresponding key strength will beincreased, but the corresponding amount of operation is also larger.

The function key part is a differentiable function, and its value in thedefinition domain should be greater than zero.

In this embodiment, preferably, the function key part that changesrelatively flatly is used.

The change refers to

$\left| \frac{\partial f}{\partial x} \middle| {\leq K} \right.,{x \in D},$

wherein: D is the definition domain of ƒ( ), K is a positive realnumber, that is, a flat index.

In this embodiment, preferably, the flat index is less than or equal to10.

In this embodiment, a basic list of functions satisfying the requirementis preset in a key generation algorithm implemented on the client, sothat these basic functions may be randomly combined during generation toobtain the function form of the function key part.

1.2) The polynomial key part Y{y_(i)|i∈I} is randomly generated, thusforming a complete key, that is, K={ƒ( ),Y}.

In this embodiment, preferably, the polynomial key part y_(i) isrequired to be a positive integer.

The key can be stored in any encryption medium local to the client, suchas an encrypted file, an encryption chip, a USB flash drive, or othersimilar types of memory.

1.3) The client or server generates the operation supporting functionfamily G={g₁, g₂, g₃} through function fitting which is saved by theserver. Since each operation supporting function family G corresponds toa function key, the corresponding user, that is, the unique identifierof the ciphertext sender, needs to be recorded when the server receivesthe operation supporting function family G.

The fitting generation can be directly performed on the client, and theresult of the fitting, that is, the expression of the operationsupporting function family G, is transmitted to the server; the clientcan also perform discrete sampling of the operation supporting functionfamily G and output the sampling point data to the server, so that theoperation supporting function family G can be calculated by the serveraccording to the local fitting strategy or the dynamic local fittingstrategy;

During the process of computer operations, a problem of precision mayoccur in the floating-point operation, so the fitting described can beset to the required precision at initialization based on the specifichardware settings.

The operation supporting function family G comprises the numericalfitting of

$\begin{matrix}\left\{ \begin{matrix}{g_{1}\left( {\alpha,\beta} \right)} \\{g_{2}\left( {\alpha,\beta} \right)} \\{g_{3}\left( {\alpha,\beta} \right)}\end{matrix} \right. & (2)\end{matrix}$

wherein: g_(i)(α,β) is the numerical fitting of

$\frac{f(\alpha)}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)}{g_{2}\left( {\alpha,\beta} \right)}$

is the numerical fitting of

$\frac{f(\beta)}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$

g₃(α,β) is the numerical fitting of

$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{2}\left( {\alpha,\beta} \right)} \right)},$

while α

β∈X, h₁(α,β) and h₂(α,β) are any functions that satisfyh₁(α,β)≠h₂(α,β)≠α≠β.

In this embodiment, h₁=α+β+1, h₂=α+β+2, α>0 and β>0 are chosen.

Preferably, the operation supporting function family G does not appearin the form of an expression so as to improve the security of theinvention; more preferably, it appears in the form of a numericalfitting to express the operation supporting function family G.

In some cases, for example, if the function key part f itself is notcomplex enough, it can still be solved to a certain degree by some veryhuge number of operations, and the function key part f can be locallyrestored by the operation supporting function family G. So a variety ofG deformations can be defined to improve the security, and there aremany types of such deformations.

The numerical fitting means that the values of G corresponding to eachsampling point are recorded through wide and intensive discrete samplingof the definition domain of the operation supporting function family G,and then approximate expressions of G are made through the surfacefitting technology; the embodiments are implemented using the surfacefitting technology and the numerical calculation technology, such asusing the least-square method to perform the surface fitting.

When the surface of the operation supporting function family G is toocomplex, the numerical value fitting can be obtained by re-splicing uponthe local fitting or the method of dynamic local fitting. That is tosay, when getting a value by operation is required, the final value canbe obtained by means of local surface fitting in the surface area in thevicinity of the value evaluation point.

It is very difficult to restore the expression of ƒ without knowing theconcrete form of the original function ƒ only by computing the fittingexpression of the operation supporting function family G or the discretevalue point information. This is also one of the security guarantees ofthe encryption method in the invention.

Described here is the key generation process, that is, the clientinitialization process. This process is only initialized before a useruses the system for the first time, and the user only needs to directlyaccess the generated key in future use.

Step 2: as shown in FIG. 3, the sensitive data are encrypted by usingthe generated key as follows:

The data to be encrypted in this embodiment are the production cost P₁of one product and the total sales contract offer P₂ of the product,both of which are floating-point numerical data.

2.1) For the function key part ƒ( ), an argument x_(i) is randomlychosen in its definition domain to obtain the function value ƒ(x_(i)) ofthe point, and then the function value is multiplied by thecorresponding component of the polynomial key to obtain ƒ(x_(i))·y_(i),wherein i∈I and I is the subscript set of the polynomial key dimensions.

Each element in the set of polynomial key dimensions is a positiveinteger, and the maximum value of 2 can meet the security requirement;the value can be increased according to the encryption strengthrequirement, and generally, the maximum value should not be greater than10. If the maximum value is 4, I is equal to the set {1,2,3,4}.

2.2) a_(i) is randomly chosen to obtain an item, α_(i)·ƒ(x_(i))·y_(i),of the ciphertext polynomial.

2.3) Step 2.1˜2.2 are repeated until iterating through the set of I, and

$\sum\limits_{i \in I}{a_{i} \cdot {f\left( x_{i} \right)} \cdot y_{i}}$

is finally obtained.

2.4) B is obtained by Formula 1), and so far, all components of theciphertext, A={a_(i)|i∈I} and X={x_(i)|i∈I}, as well as B, have beenobtained. The ciphertext

C₂ corresponding to the preceding plaintext

P₂ is obtained in this process.

When the function key part is a binary function, the correspondingciphertext is C={A, M, N, B} and the corresponding encryption strengthis greatly improved.

Step 3: as shown in FIG. 5, after the server obtains multipleciphertexts, homomorphic operations on ciphertexts, including addition,subtraction, multiplication and division, are performed based on theoperation supporting function family G stored on the server.

i) The addition and subtraction in homomorphism are taken as an example.Supposing an enterprise needs to calculate the gross profit of theproduct sales contract, wherein the production cost of the product issensitive data and its ciphertext is C₁; the total offer of the contractis sensitive data and its ciphertext is C₂; the quantity of productsales is the non-sensitive data of the open bidding without encryptionand its value is 100, then the gross profit of the contract can becalculated as ciphertext C₃, that is C₃=C₂−100*C₁, and the server canobtain the gross profit C₃, that is C₃={A₃, X₃, B₃}, by sequentiallycalculating 100·C₁ and C₂−100·C₁, wherein:

A ₃ ={a _(3i) |i∈I},a _(3i) =a _(2i) ·g ₂(x _(1i) ,x _(2i))−100·a _(1i)·g ₁(x _(1i) ,x _(2i))

X ₃ ={x _(3i) |i∈I},x _(3i) =h ₁(x _(2i) ,x _(1i))

B ₃ =B ₂−100·B ₁

The calculation result of the homomorphic encryption may be stored in aciphertext manner in a database and used in other operations afterwardswithout needing to know the actual value of the ciphertext, and onlywhen the form is displayed or the report is printed, the decryptionalgorithm is invoked on the client and the plaintext can be restored,for the authorized user who owns the key.

ii) The multiplication in homomorphism is taken as an example. Supposingan enterprise signs the same product sales contract with severalcustomers at the same time with the number of contracts being sensitivedata and the ciphertext being C₄, the total gross profit C₅ is: C₅=C₃·C₄and C₅={A₅, X₅, B₅}, wherein:

A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4j) |j∈I},a_(5ij) =a _(3i) ·a _(4j) ·g ₃(x ₃ ,x ₄)

X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(5ij) =h ₂(x_(3i) ,x _(4j))

B ₅ =B ₃ ·B ₄

iii) The division of homomorphism is taken as an example. The polynomialdivision algorithm is used to introduce the fractional expression, andafter the denominator polynomial is increased, the division is convertedinto the combination of addition and multiplication, so that thecalculation result is obtained finally. Therefore, in the context ofdivision, the expression of a more general plaintext should be in afractional form, such as

$P = {\frac{P_{1}}{P_{2}} = {\frac{{\sum\limits_{i \in I}{a_{1i} \cdot {f\left( x_{1i} \right)} \cdot y_{i}}} + B_{1}}{{\sum\limits_{i \in I}{a_{2i} \cdot {f\left( x_{2i} \right)} \cdot y_{i}}} + B_{2}}.}}$

The ciphertext is specifically expressed as:

$P_{a} = {\frac{P_{1}}{P_{2}} = \frac{{\sum\limits_{i \in I}{a_{1i} \cdot {f\left( x_{1i} \right)} \cdot y_{i}}} + B_{1}}{{\sum\limits_{i \in I}{a_{2i} \cdot {f\left( x_{2i} \right)} \cdot y_{i}}} + B_{2}}}$C_(a) = {A₁, X₁, B₁, A₂, X₂, B₂}$P_{b} = {\frac{P_{3}}{P_{4}} = \frac{{\sum\limits_{i \in I}{a_{3i} \cdot {f\left( x_{3i} \right)} \cdot y_{i}}} + B_{3}}{{\sum\limits_{i \in I}{a_{4i} \cdot {f\left( x_{4i} \right)} \cdot y_{i}}} + B_{4}}}$C_(b) = {A₃, X₃, B₃, A₄, X₄, B₄}

then the result C_(r)={A₅, X₅, B₅, A₆, X₆, B₆} of the divisionC_(r)=C_(a)/C_(h) is:

A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₃(x ₁ ,x ₃)

X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₂(x_(1i) ,x _(3j))B ₅ =B ₁ ·B ₃

A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) g ₃(x ₂ ,x ₄)

X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₂(x_(2i) ,x _(4j))B ₆ =B ₂ ·B ₄

In a fractional form, when the ciphertext homomorphism addition isperformed, the fractions must be reduced to a common denominator, thatis, the molecular part of a ciphertext is multiplied by the denominatorpart of another ciphertext as a new molecule, and then the new moleculeis summed up with a new molecule part of another ciphertext upon thesame operation to generate the numerator of the result. At the sametime, the denominator parts of two ciphertexts are multiplied as thedenominator of the result, and the final result is obtained aftersimplification.

In a fractional form, when the homomorphic operation of multiplicationof the ciphertext is performed, the numerator and denominator of the twociphertexts are multiplied respectively as a new numerator anddenominator, and the final result is obtained after simplification.

In Step 3, when the homomorphic operation is performed on the server,the server may adopt the ciphertext-ID-based method to perform thehomomorphic calculation upon retrieval to the cached ciphertext orthrough the acceptance of the ciphertext and operator sent by the clientdirectly.

The ciphertext ID is an ID number corresponding to the cachedciphertext, and preferably, the ID number is stored on the client.

As shown in FIG. 4, in order to use the process of the ciphertext IDhomomorphic operation, the specific steps comprise:

1) The client obtains the operation instruction, including theciphertext ID that needs to be involved in the operation and theoperation operators and other parameters that need to be performed.

2) The ciphertext ID, the homomorphic operator and the operationparameters are sent to the server to retrieve the correspondingciphertext and wait for the operation; after receiving the instruction,the server first reads the corresponding the operation supportingfunction family and then performs the homomorphic operation on theciphertext retrieved in the previous step according to the operationinstruction.

3) The server returns the result of the homomorphic operation to theoperation requester, and the operation result is still in the form ofciphertext.

As shown in FIG. 5, in order to directly use the ciphertext instead ofthe homomorphic operation of the ciphertext ID, the specific stepscomprise:

i) the arithmetic instructions, including the ciphertext to becalculated, arithmetic operators and other parameters, are obtained;

ii) the ciphertext, operator, operation parameters and other data aresent to the server;

iii) after obtaining the operation instruction, the server reads thecorresponding operation supporting function family and completes theoperation requirement on the ciphertext to obtain the ciphertext of theoperation result;

iv) the server returns the operation result to the operation requester.

In Step 4, as shown in FIG. 6, when the client obtains the resultedciphertext upon the homomorphic operation from the server, the resultedciphertext is substituted into the encryption formula (1) to obtain thecorresponding plaintext result.

In case the original plaintext data are numerical, the result of thedecryption in the previous step is the final result; otherwise, the typeconversion is needed to obtain the final decryption result.

Embodiment 2

The difference between this embodiment and Embodiment 1 lies in that theoperation supporting function G adopted comprises:

$\left\{ {\begin{matrix}{g_{1}\left( {\alpha,\beta,\gamma} \right)} \\{{g_{2}\left( {\alpha,\beta} \right)}\mspace{25mu}}\end{matrix},} \right.$

wherein g₁(α,β,γ) is the numerical fitting of

$\frac{{h_{3}(\gamma)} \cdot \left\lbrack {{f(\alpha)} + {\gamma \cdot {f(\beta)}}} \right\rbrack}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$

g₂(α,β) is the numerical fitting of

$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{2\;}\left( {\alpha,\beta} \right)} \right)},$

α

β∈X, h₁(α,β), h₂(α,β) and h₃(α,β) are any functions that satisfyh₁(α,β)≠h₂(α,β)≠h₃(α,β)≠α≠β;

the corresponding homomorphic operation comprises:

i) addition and subtraction between ciphertext and ciphertext:C_(r)=C₂±C₁, C_(r)={A_(r), X_(r), B_(r)} wherein:

${A_{r} = \left\{ a_{ri} \middle| {i \in I} \right\}},{a_{ri} = {{a_{2i} \cdot {g_{1}\left( {x_{2i},x_{1i},{\pm \frac{a_{1i}}{a_{2i}}}} \right)}}\text{/}{h_{3}\left( {\pm \frac{a_{1i}}{a_{2i}}} \right)}}},{X_{r} = \left\{ x_{ri} \middle| {i \in I} \right\}},{x_{ri} = {h_{1}\left( {x_{2i},x_{1i}} \right)}},{{B_{r} = {B_{2} \pm B_{1}}};}$

ii) multiplication between ciphertext and ciphertext: C_(r)=C₃·C₄,C_(r)={A_(r), X_(r), B_(r)}, wherein:

A _(r) ={a _(rij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4i) |j∈I},a_(rij) =a _(3i) ·a _(4i) ·g ₂(x ₃ ,x ₄),

X _(r) ={x _(rij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(rij) =h₂(x _(3i) ,x _(4j))

B _(r) =B ₃ ·B ₄;

ii) division between ciphertext and ciphertext: C_(r)=C_(a)/C_(b),C_(r)={A₅, X₅, B₅, A₆, X₆, B₆}, wherein:

A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₂(x ₁ ,x ₃),

X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₂(x_(1i) ,x _(3j))

B ₅ =B ₁ ·B ₃,

A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) ·g ₂(x ₂ ,x ₄),

X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₂(x_(2i) ,x _(4j)),

B ₅ =B ₃ ·B ₄.

In this embodiment, g1 becomes a ternary function and the correspondingamount of fitting calculation will increase a lot, with the requirementfor the flatness and complexity off also higher, but the correspondingsecurity will be much higher than the binary function.

Embodiment 3

In order to improve the security, in this embodiment, a function f2 isintroduced when the operation support function G is generated, and itdoes not need to be added to the key and only affects the calculationand expression of the operation supporting function G. It can beunderstood that the operation supporting function G is encrypted. Thespecific expression is as follows:

$\left\{ {\begin{matrix}{g_{1}\left( {\alpha,\beta} \right)} \\{g_{2}\left( {\alpha,\beta} \right)} \\{g_{3}\left( {\alpha,\beta} \right)} \\{g_{4}\left( {\alpha,\beta} \right)} \\{g_{5}\left( {\alpha,\beta} \right)} \\{g_{6}\left( {\alpha,\beta} \right)}\end{matrix},} \right.$

wherein: g₁(α,β) is the numerical fitting of

$\frac{{f(\alpha)} \cdot {f\left( {h_{3}\left( {\alpha,\beta} \right)} \right)}}{f_{2}\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$

g₂(α,β) is the numerical fitting of

$\frac{{f(\beta)} \cdot {f\left( {h_{3}\left( {\alpha,\beta} \right)} \right)}}{f_{2}\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$

g₃(α,β) is the numerical fitting of

$\frac{f_{2}(\alpha)}{f\left( {h_{4}\left( {\alpha,\beta} \right)} \right)},$

g₄(α,β) is the numerical fitting of

$\frac{f_{2}(\beta)}{f\left( {h_{4}\left( {\alpha,\beta} \right)} \right)},$

g₅(α,β) is the numerical fitting of

$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{5}\left( {\alpha,\beta} \right)} \right)},$

g₆(α,β) is the numerical fitting of

$\frac{f(\alpha)}{{f(\beta)} \cdot {f\left( {h_{6}\left( {\alpha,\beta} \right)} \right)}},$

α

β∈X, h₁(α,β), h₂(α,β), h₃(α,β) and h₄(α,β) are any functions thatsatisfy h₁(α,β)≠h₂(α,β)≠h₃(α,β)≠h₄(α,β)≠α≠β; f₂( ) is a randomlygenerated function used for encrypting the operation supportingfunction,

the corresponding homomorphic operation comprises:

i) Addition and subtraction between ciphertext and ciphertext:C_(r)=C₂±C₁, C_(r)={A_(r), X_(r), B_(r)}, wherein:

A _(r) ={a _(ri) |i∈I},

a _(ri) =g ₆ ·[a _(2i) ·g ₁(x _(2i) ,x _(1i))·g ₃(h ₁(x _(2i) ,x_(1i)),h ₂(x _(2i) ,x _(1i)))±a _(1i) ·g ₂(x _(2i) ,x _(1i))·g ₄(h ₁(x_(2i) ,x _(1i)),h ₂(x _(2i) ,x _(1i)))],

X _(r) ={x _(ri) |i∈I},

x _(ri) =h ₆(h ₄(h ₁(x _(2i) ,x _(1i)),h ₂(x _(2i) ,x _(1i))),h ₃(h ₁(x_(2i) ,x _(1i))),h ₂(x _(2i) ,x _(1i)))),

B _(r) =B ₂ ±B ₁;

ii) multiplication between ciphertext and ciphertext:C_(r)=C₃·C₄,C_(r)={A_(r), X_(r), B_(r)}, wherein:

A _(r) ={a _(rij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4j) |j∈I},a_(rij) =a _(3i) ·a _(4j) ·g ₅(x ₃ ,x ₄),

X _(r) ={x _(rij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(rij) =h₂(x _(3i) ,x _(4j)),

B _(r) =B ₃ ·B ₄;

ii) division between ciphertext and ciphertext:C_(r)=C_(a)/C_(b),C_(r)={A₅, X₅, B₅,A₆, X₆, B₆}wherein:

A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₅(x ₁ ,x ₃),

X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₅(x_(1i) ,x _(3j)),

B ₅ =B ₁ ·B ₃,

A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) ·g ₅(x ₂ ,x ₄),

X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₅(x_(2i) ,x _(4j)),

B ₆ =B ₂ ·B ₄.

Such an operation supporting function G can prevent a huge amount ofoperation for fitting a ternary function and also greatly improve thesecurity, wherein, f2 is randomly generated only when G is calculatedduring initialization, and the form of f2 is required to be as simple aspossible to prevent using too complicated expressions. At the same time,f2 expression neither needs to be stored on the client, nor needs to besaved on the server, so that it can be directly discarded after theprocess of initialization. This neither affects the client's encryptionand decryption operations, nor affects the server's homomorphicoperation, so in this case the security of G is very high, and it ismore difficult to restore the function key f through G.

What is claimed is:
 1. A polynomial complete homomorphic encryptionsystem, characterized in that, comprising a client and a server,wherein: the client consists of a circuit which is configured togenerate a key K and an operation supporting function family G, and toencrypt the plaintext P or decrypt the ciphertext C; the server consistsof a memory which is configured to receive the ciphertext C and theoperation supporting function family G, and a circuit which is toperform a homomorphic operation on the ciphertext according to theoperation supporting function family G.
 2. The system as claimed inclaim 1, characterized in that the server is provided with a databasefor storing ciphertexts.
 3. The system as claimed in claim 1,characterized in that the server is provided with a ciphertext IDcorresponding to the cached ciphertext.
 4. The system as claimed inclaim 1, characterized in that the client is provided with a key accesscontrol mechanism, which ensures that the visitor owns the authority toaccess the key by the way of authentication.
 5. A polynomial completehomomorphic encryption method based on the coefficient mappingtransformation, characterized in that firstly, a plaintext is expressedas a polynomial consisting of a set of random values, two sets of randomcoefficient factors and a random constant of a specified mappingfunction, and in the polynomial: the expression and a set of randomcoefficient factors of the specified mapping function are taken as akey; another set of random coefficient factors, a set of randomarguments and random constants of the mapping function are taken as theciphertexts for homomorphic operations, so that the part of function keyperforms three different mappings and then undergoes numerical fittingto obtain the family of operational support functions consisting ofthree sub-functions respectively, which are used to perform thehomomorphic operation of the ciphertext based on the family ofoperational support functions and return to the locality for decryptionby the key.
 6. The polynomial complete homomorphic encryption method asclaimed in claim 5, characterized in that, comprising the followingsteps: step 1: for a plaintext P∈R of any real number, the real-numbervectors of A={a_(i)|i∈I} and Y={y_(i)|i∈I} are randomly chosen,satisfying that: $\left\{ {\begin{matrix}{{{\sum\limits_{i \in I}{a_{i} \cdot {f\left( x_{i} \right)} \cdot y_{i}}} + B} = P} \\{{f\left( x_{i} \right)} > 0}\end{matrix},} \right.$ wherein: f(x) is differentiable, and thereal-number ventors are X={x_(i)|i∈I} and B∈B, I is the subscript set ofthe polynomial key dimension, ƒ(x_(i)) is the function key part, thecorresponding key generated is K={ƒ( ),Y} and the ciphertext for P isC={A, X, B}; step 2: the homomorphic result of the ciphertext isobtained by way of performing the homomorphic operation between theciphertexts or between the plaintext and the ciphertext through theoperation supporting function family G at different places; step 3: thehomomorphic result of the plaintext is obtained via decryption by way ofsubstituting the homomorphic result of the ciphertext into ƒ and Y inthe key of K.
 7. The polynomial complete homomorphic encryption methodas claimed in claim 6, characterized in that the numerical fittingadopts the least square method.
 8. The polynomial complete homomorphicencryption method as claimed in claim 6, characterized in that thehomomorphic operations comprise addition, subtraction, multiplicationand division, and any combination thereof.
 9. The polynomial completehomomorphic encryption method as claimed in claim 6, characterized inthat the operation supporting function G generated encrypts itselfthrough the randomly generated function.
 10. The polynomial completehomomorphic encryption method as claimed in claim 6 or 7 or 8,characterized in that; the operation supporting function family G usedfor the homomorphic operation of ciphertext comprises:$\left\{ {\begin{matrix}{g_{1}\left( {\alpha,\beta} \right)} \\{g_{2}\left( {\alpha,\beta} \right)} \\{g_{3}\left( {\alpha,\beta} \right)}\end{matrix},} \right.$ wherein: g_(i)(α,β) is the numerical fitting of$\frac{f(\alpha)}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)}{g_{2}\left( {\alpha,\beta} \right)}$is the numerical fitting of$\frac{f(\beta)}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$g₃(α,β) the numerical fitting of$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{2}\left( {\alpha,\beta} \right)} \right)},$while α, β∈X, h₁(α,β) and h₂(α,β) are any functions that satisfyh₁(α,β)≠h₂(α,β)≠α≠β. the corresponding homomorphic operation comprises:i) addition and subtraction between ciphertext and ciphertext:C_(r)=C₂±C₁, C_(r)={A_(r), X_(r), B_(r)}, wherein:A _(r) ={a _(ri) |i∈I},a _(ri) =a _(2i) ·g ₂(x _(1i) ,x _(2i))±a _(1i)·g ₁(x _(1i) ,x _(2i)),X _(r) ={x _(ri) |i∈I},x _(ri) =h ₁(x _(2i) ,x _(1i)),B _(r) =B ₂ ±B ₁; ii) multiplication between ciphertext and ciphertext:C_(r)=C₃·C₄,C_(r)={A_(r), X_(r), B_(r)}, wherein:A _(r) ={a _(rij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4j) |j∈I},a_(rij) =a _(3i) ·a _(4i) ·g ₃(x ₃ ,x ₄),X _(r) ={x _(rij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(rij) =h₂(x _(3i) ,x _(4j)),B _(r) =B ₃ ·B ₄; ii) division between ciphertext and ciphertext:C_(r)=C_(a)/C_(b),C_(r)={A₅, X₅, B₅, A₆, X₆, B₆}, wherein:A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₃(x ₁ ,x ₃),X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₂(x_(1i) ,x _(3j)),B ₅ =B ₁ ·B ₃,A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) ·g ₃(x ₂ ,x ₄),X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₂(x_(2i) ,x _(4j)),B ₆ =B ₂ ·B ₄.
 11. The polynomial complete homomorphic encryption methodas claimed in claim 6, characterized in that the operation supportingfunction G comprises: $\left\{ {\begin{matrix}{g_{1}\left( {\alpha,\beta,\gamma} \right)} \\{g_{2}\left( {\alpha,\beta,} \right)}\end{matrix},} \right.$ wherein g₁(α,β,γ) is the numerical fitting of$\frac{{h_{3}(\gamma)} \cdot \left\lbrack {{f(\alpha)} + {\gamma \cdot {f(\beta)}}} \right\rbrack}{f\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$g₂(α,β) is the numerical fitting of$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{2}\left( {\alpha,\beta} \right)} \right)},$α

β∈X, h₁(α,β), h₂(α,β) and h₃(α,β) are any functions that satisfyh₁(α,β)≠h₂(α,β)≠h₃(α,β)≠α≠β; the corresponding homomorphic operationcomprises: i) addition and subtraction between ciphertext andciphertext: C_(r)=C₂±C₁, C_(r)={A_(r), X_(r), B_(r)}, wherein:${A_{r} = \left\{ {a_{ri}{i \in I}} \right\}},\mspace{14mu} {a_{ri} = {a_{2\; i} \cdot {{g_{1}\left( {x_{2\; i},x_{1\; i},{\pm \frac{a_{1\; i}}{a_{2\; i}}}} \right)}/{h_{3}\left( {\pm \frac{a_{1\; i}}{a_{2\; i}}} \right)}}}},{X_{r} = \left\{ {x_{ri}{i \in I}} \right\}},\mspace{14mu} {x_{ri} = {h_{1}\left( {x_{2\; i},x_{1\; i}} \right)}},{{B_{r} = {B_{2} \pm B_{1}}};}$ii) multiplication between ciphertext and ciphertext: C_(r)=C₃·C₄,C_(r)={A_(r), X_(r), B_(r)}, wherein:A _(r) ={a _(rij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4i) |j∈I},a_(rij) =a _(3i) ·a _(4j) ·g ₂(x ₃ ,x ₄),X _(r) ={x _(rij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(rij) =h₂(x _(3i) ,x _(4j)),B _(r) =B ₃ ·B ₄; ii) division between ciphertext and ciphertext:C_(r)=C_(a)/C_(b), C_(r)={A₅, X₅, B₅, A₆, X₆, B₆}, wherein:A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₂(x ₁ ,x ₃)X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₂(x_(1i) ,x _(3j)),B ₅ =B ₁ ·B ₃,A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) ·g ₂(x ₂ ,x ₄),X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₂(x_(2i) ,x _(4j)),B ₆ =B ₂ ·B ₄.
 12. The polynomial complete homomorphic encryption methodas claimed in claim 6, characterized in that the operation supportingfunction G comprises $\left\{ {\begin{matrix}{g_{1}\left( {\alpha,\beta} \right)} \\{g_{2}\left( {\alpha,\beta} \right)} \\{g_{3}\left( {\alpha,\beta} \right)} \\{g_{4}\left( {\alpha,\beta} \right)} \\{g_{5}\left( {\alpha,\beta} \right)} \\{g_{6}\left( {\alpha,\beta} \right)}\end{matrix},} \right.$ wherein: g₁(α,β) is the numerical fitting of$\frac{{f(\alpha)} \cdot {f\left( {h_{3}\left( {\alpha,\beta} \right)} \right)}}{f_{2}\left( {h_{1}\left( {\alpha,\beta} \right)} \right)},$g₂(α,β) is the numerical fitting of$\frac{{f(\beta)} \cdot {f\left( {h_{3}\left( {\alpha,\beta} \right)} \right)}}{f_{2}\left( {h_{2}\left( {\alpha,\beta} \right)} \right)},$g₃(α,β) is the numerical fitting of$\frac{f_{2}(\alpha)}{f\left( {h_{4}\left( {\alpha,\beta} \right)} \right)},$g₄(α,β) is the numerical fitting of$\frac{f_{2}(\beta)}{f\left( {h_{4}\left( {\alpha,\beta} \right)} \right)}$g₅(α,β) is the numerical fitting of g$\frac{{f(\alpha)} \cdot {f(\beta)}}{f\left( {h_{5}\left( {\alpha,\beta} \right)} \right)},$g₆(α,β) is the numerical fitting of$\frac{f(\alpha)}{{f(\beta)} \cdot {f\left( {h_{6}\left( {\alpha,\beta} \right)} \right)}},$α

β∈X, h₁(α,β), h₂(α,β), h₃(α,β) and h₄(α,β) are any functions thatsatisfy h₁(α,β)≠h₂(α,β)≠h₃(α,β)≠h₄(α,β)≠α≠β; ƒ₂( ) is randomly generatedfunction used for encrypting the operation supporting function, thecorresponding homomorphic operation comprises: i) addition andsubtraction between ciphertext and ciphertext: C_(r)=C₂±C₁,C_(r)={A_(r),X_(r), B_(r)}, wherein:A _(r) ={a _(ri) |i∈I},a _(ri) =g ₆ ·[a _(2i) ·g ₁(x _(2i) ,x _(1i))·g ₃(h ₁(x _(2i) ,x_(1i)),h ₂(x _(2i) ,x _(1i)))±a _(1i) ·g ₂(x _(2i) ,x _(1i))·g ₄(h ₁(x_(2i) ,x _(1i)),h ₂(x _(2i) ,x _(1i)))],X _(r) ={x _(ri) |i∈I},x _(ri) =h ₆(h ₄(h ₁(x _(2i) ,x _(1i)),h ₂(x _(2i) ,x _(1i))),h ₃(h ₁(x_(2i) ,x _(1i))),h ₂(x _(2i) ,x _(1i)))),B _(r) =B ₂ ±B ₁; ii) multiplication between ciphertext and ciphertext:C_(r)=C₃·C₄, C_(r)={A_(r), X_(r), B_(r)}, wherein:A _(r) ={a _(rij) |i∈I,j∈I}∪{B ₄ ·a _(3i) |i∈I}∪{B ₃ ·a _(4i) |j∈I},a_(rij) =a _(3i) ·a _(4i) ·g ₂(x ₃ ,x ₄),X _(r) ={x _(rij) |i∈I,j∈I}∪{x _(3i) |i∈I}∪{x _(4j) |j∈I},x _(rij) =h₂(x _(3i) ,x _(4j))B _(r) =B ₃ ·B ₄; ii) division between ciphertext and ciphertext:C_(r)=C_(a)/C_(b), C_(r)={A₅, X₅, B₅, A₆, X₆, B₆}, wherein:A ₅ ={a _(5ij) |i∈I,j∈I}∪{B ₃ ·a _(1i) |i∈I}∪{B ₁ ·a _(3j) |j∈I},a_(5ij) =a _(1i) ·a _(3j) ·g ₅(x ₁ ,x ₃),X ₅ ={x _(5ij) |i∈I,j∈I}∪{x _(1i) |i∈I}∪{x _(3j) |j∈I},x _(5ij) =h ₂(x_(1i) ,x _(3j)),B ₅ =B ₁ ·B ₃,A ₆ ={a _(6ij) |i∈I,j∈I}∪{B ₄ ·a _(2i) |i∈I}∪{B ₂ ·a _(4j) |j∈I},a_(6ij) =a _(2i) ·a _(4j) ·g ₂(x ₂ ,x ₄),X ₆ ={x _(6ij) |i∈I,j∈I}∪{x _(2i) |i∈I}∪{x _(4j) |j∈I},x _(6ij) =h ₅(x_(2i) ,x _(4j)),B ₆ =B ₂ ·B ₄.
 13. The polynomial complete homomorphic encryption methodas claimed in claim 5, characterized in that the composite function ƒ( )is a periodic function.